From f54035fe36c158dc949408252429b80b4f948da0 Mon Sep 17 00:00:00 2001 From: Andreas Gruhler Date: Wed, 7 Aug 2024 09:17:00 +0200 Subject: [PATCH 1/5] feat(kubernetes-etcd-backup): skip tls verify etcdctl can be run with the `--insecure-skip-tls-verify` to skip tls verification of the etcd endpoint. This is useful in some deployments, for instance, when the etcd cluster is external to Kubernetes and the Kubernetes endpoint name (e.g., `etcd.kube-system.svc.cluster.local`) does not match the names in the certificates of the external etcd cluster. --- charts/kubernetes-etcd-backup/README.md | 1 + charts/kubernetes-etcd-backup/templates/configmap.yaml | 3 +++ charts/kubernetes-etcd-backup/values.yaml | 3 +++ 3 files changed, 7 insertions(+) diff --git a/charts/kubernetes-etcd-backup/README.md b/charts/kubernetes-etcd-backup/README.md index f4b265e53..03e5fd846 100644 --- a/charts/kubernetes-etcd-backup/README.md +++ b/charts/kubernetes-etcd-backup/README.md @@ -30,6 +30,7 @@ This chart is maintained by [Adfinis](https://adfinis.com/?pk_campaign=github&pk | etcdConfiguration.endpoint | string | `"changeme"` | Etcd endpoint ip or hostname without protocol or port | | extraVolumeMounts | list | `[]` | | | extraVolumes | list | `[]` | | +| etcdConfiguration.insecureSkipTlsVerify | bool | `false` | skip server certificate verification | | fullnameOverride | string | `""` | | | image.pullPolicy | string | `"Always"` | Image pull policy configuration | | image.repository | string | `"ghcr.io/adfinis/kubernetes-etcd-backup"` | Repository image to use | diff --git a/charts/kubernetes-etcd-backup/templates/configmap.yaml b/charts/kubernetes-etcd-backup/templates/configmap.yaml index 932f76ab2..10809a270 100644 --- a/charts/kubernetes-etcd-backup/templates/configmap.yaml +++ b/charts/kubernetes-etcd-backup/templates/configmap.yaml 
@@ -12,3 +12,6 @@ data: ETCD_BACKUP_KEEP_COUNT: {{ .Values.backup.keepcount | quote }} ETCD_BACKUP_UMASK: {{ .Values.backup.umask | quote }} ENDPOINT: {{ .Values.etcdConfiguration.endpoint | quote }} + {{- if .Values.etcdConfiguration.insecureSkipTlsVerify }} + ETCDCTL_INSECURE_SKIP_TLS_VERIFY: "true" + {{- end }} diff --git a/charts/kubernetes-etcd-backup/values.yaml b/charts/kubernetes-etcd-backup/values.yaml index 474b305d8..7c9c3cd20 100644 --- a/charts/kubernetes-etcd-backup/values.yaml +++ b/charts/kubernetes-etcd-backup/values.yaml @@ -23,6 +23,9 @@ backup: etcdConfiguration: # -- Etcd endpoint ip or hostname without protocol or port endpoint: "changeme" + # -- skip server certificate verification + insecureSkipTlsVerify: false + etcdCertification: # -- etcd-peer-tls secret name From 87a3d55f36cdd979fcf3f0f3b4c4090095178bac Mon Sep 17 00:00:00 2001 From: Andreas Gruhler Date: Wed, 7 Aug 2024 09:23:49 +0200 Subject: [PATCH 2/5] feat: update artifacthub annotation --- charts/kubernetes-etcd-backup/Chart.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/kubernetes-etcd-backup/Chart.yaml b/charts/kubernetes-etcd-backup/Chart.yaml index 2d5dbe45d..37b04bc41 100644 --- a/charts/kubernetes-etcd-backup/Chart.yaml +++ b/charts/kubernetes-etcd-backup/Chart.yaml @@ -3,7 +3,7 @@ apiVersion: v2 name: kubernetes-etcd-backup description: Chart for kubernetes-etcd-backup solution type: application -version: 1.2.0 +version: 1.3.0 appVersion: v1.0.6 keywords: - kubernetes-etcd-backup @@ -20,4 +20,4 @@ maintainers: annotations: artifacthub.io/changes: | - kind: changed - description: "Allow configuration of extraVolume/Mounts" + description: "Add insecureSkipTlsVerify flag" From f4a0204099faf1adf60410eafab61edd355ed7a7 Mon Sep 17 00:00:00 2001 
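Review bot: The guard `{{- if .Values.etcdConfiguration.insecureSkipTlsVerify }}` relies on Go-template truthiness, so any non-empty string — including a value that arrives as the string `"false"` from a quoted values entry or `--set-string` — renders `ETCDCTL_INSECURE_SKIP_TLS_VERIFY: "true"` and silently disables certificate verification, which is the fail-open direction. Since the key is omitted whenever verification is wanted, an unexpected type should also leave it omitted: compare the rendered value explicitly, `{{- if eq (toString .Values.etcdConfiguration.insecureSkipTlsVerify) "true" }}`, or add a `values.schema.json` that pins `etcdConfiguration.insecureSkipTlsVerify` to `type: boolean` so Helm rejects the string form at install time. The `data:` mapping this key is added to begins outside the hunk.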
From: Andreas Gruhler Date: Wed, 7 Aug 2024 09:42:10 +0200 Subject: [PATCH 3/5] doc: improve description of Values --- charts/kubernetes-etcd-backup/README.md | 3 ++- charts/kubernetes-etcd-backup/values.yaml | 8 +++++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/charts/kubernetes-etcd-backup/README.md b/charts/kubernetes-etcd-backup/README.md index 03e5fd846..0d6337f09 100644 --- a/charts/kubernetes-etcd-backup/README.md +++ b/charts/kubernetes-etcd-backup/README.md @@ -27,10 +27,11 @@ This chart is maintained by [Adfinis](https://adfinis.com/?pk_campaign=github&pk | backup.umask | string | `"0027"` | Set umask during the backup | | etcdCertification.etcdPeerTlsName | string | `"changeme"` | etcd-peer-tls secret name | | etcdCertification.etcdServerCaName | string | `"changeme"` | etcd-server-ca secret name | -| etcdConfiguration.endpoint | string | `"changeme"` | Etcd endpoint ip or hostname without protocol or port | | extraVolumeMounts | list | `[]` | | | extraVolumes | list | `[]` | | | etcdConfiguration.insecureSkipTlsVerify | bool | `false` | skip server certificate verification | +| etcdConfiguration.endpoint | string | `"changeme"` | Etcd endpoint ip or hostname without protocol or port Example: etcd.kube-system.svc.cluster.local | +| etcdConfiguration.insecureSkipTlsVerify | bool | `false` | Skip server certificate verification Useful for scenarios where etcd nodes are external endpoints (access through etcd service in kube-system namespace) and have a different CN/SAN in the certificate . Otherwise, "failed to verify certificate: x509: certificate is valid for etcd-2, etc., not etcd.kube-system.svc.cluster.local" | | fullnameOverride | string | `""` | | | image.pullPolicy | string | `"Always"` | Image pull policy configuration | | image.repository | string | `"ghcr.io/adfinis/kubernetes-etcd-backup"` | Repository image to use | 
diff --git a/charts/kubernetes-etcd-backup/values.yaml b/charts/kubernetes-etcd-backup/values.yaml index 7c9c3cd20..334b2ee68 100644 --- a/charts/kubernetes-etcd-backup/values.yaml +++ b/charts/kubernetes-etcd-backup/values.yaml @@ -22,8 +22,14 @@ backup: etcdConfiguration: # -- Etcd endpoint ip or hostname without protocol or port + # Example: etcd.kube-system.svc.cluster.local endpoint: "changeme" - # -- skip server certificate verification + # -- Skip server certificate verification + # Useful for scenarios where etcd nodes are external endpoints (access + # through etcd service in kube-system namespace) and have a different CN/SAN + # in the certificate . Otherwise, "failed to verify certificate: x509: + # certificate is valid for etcd-2, etc., not + # etcd.kube-system.svc.cluster.local" insecureSkipTlsVerify: false From 4ffb26bf4915d527b37577409728c2453ba37a05 Mon Sep 17 00:00:00 2001 From: Andreas Gruhler Date: Wed, 7 Aug 2024 16:46:07 +0200 Subject: [PATCH 4/5] Update charts/kubernetes-etcd-backup/values.yaml Co-authored-by: Lukas Grossar --- charts/kubernetes-etcd-backup/values.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/charts/kubernetes-etcd-backup/values.yaml b/charts/kubernetes-etcd-backup/values.yaml index 334b2ee68..5d5f44d68 100644 --- a/charts/kubernetes-etcd-backup/values.yaml +++ b/charts/kubernetes-etcd-backup/values.yaml @@ -32,7 +32,6 @@ etcdConfiguration: # etcd.kube-system.svc.cluster.local" insecureSkipTlsVerify: false - etcdCertification: # -- etcd-peer-tls secret name etcdPeerTlsName: "changeme" From 087979401d1644db9eb77a9bea00e05ad4d1e945 Mon Sep 17 00:00:00 2001 From: Andreas Gruhler Date: Wed, 7 Aug 2024 16:53:53 +0200 Subject: [PATCH 5/5] chore: run pre-commit hooks --- README.md | 2 +- charts/kubernetes-etcd-backup/README.md | 7 +++---- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 972b9d391..2749a53b9 100644 --- a/README.md +++ b/README.md 
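Review bot: The expanded comment on `insecureSkipTlsVerify` explains when the flag is convenient but not what it gives up: with verification off the backup job no longer authenticates the etcd endpoint it talks to, so a party that can stand in for that endpoint could hand the job a snapshot that is later restored as genuine. The scenario described — a certificate valid for `etcd-2` but not for `etcd.kube-system.svc.cluster.local` — can usually be handled with verification kept on, by pointing `endpoint` at a name or address the certificate's SAN already covers or by reissuing the serving certificate with the service name, so I would add `# Prefer an endpoint name covered by the certificate SAN; enable this only when that is not possible.` above `insecureSkipTlsVerify: false`. There is also a stray space in `in the certificate .`. The README rows in this patch and in the pre-commit patch that follows appear to be generated from these `# --` comments, so the wording fix belongs here rather than in the table.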
@@ -78,7 +78,7 @@ for more in-depth information. | [common](charts/common) | Common chartbuilding components ... | ![Version: 0.x](https://img.shields.io/badge/version-0.x-brightgreen) | ![App version: 0.x](https://img.shields.io/badge/app%20version-0.x-brightgreen) | | [csi-secret-provider-class](charts/csi-secret-provider-class) | A Helm chart to create a SecretP... | ![Version: 0.x](https://img.shields.io/badge/version-0.x-brightgreen) | ![App version: 0.x](https://img.shields.io/badge/app%20version-0.x-brightgreen) | | [customer-center](charts/customer-center) | Chart for Customer-Center applic... | ![Version: 0.x](https://img.shields.io/badge/version-0.x-brightgreen) | ![App version: 3.3.x](https://img.shields.io/badge/app%20version-3.3.x-brightgreen) | -| [kubernetes-etcd-backup](charts/kubernetes-etcd-backup) | Chart for kubernetes-etcd-backup... | ![Version: 1.2.x](https://img.shields.io/badge/version-1.2.x-brightgreen) | ![App version: 1.0.x](https://img.shields.io/badge/app%20version-1.0.x-brightgreen) | +| [kubernetes-etcd-backup](charts/kubernetes-etcd-backup) | Chart for kubernetes-etcd-backup... | ![Version: 1.3.x](https://img.shields.io/badge/version-1.3.x-brightgreen) | ![App version: 1.0.x](https://img.shields.io/badge/app%20version-1.0.x-brightgreen) | | [mopsos](charts/mopsos) | Deploy Mopsos to a Kubernetes Cl... | ![Version: 0.x](https://img.shields.io/badge/version-0.x-brightgreen) | ![App version: 0.x](https://img.shields.io/badge/app%20version-0.x-brightgreen) | | [openshift-etcd-backup](charts/openshift-etcd-backup) | Chart for openshift-etcd-backup ... 
| ![Version: 1.8.x](https://img.shields.io/badge/version-1.8.x-brightgreen) | ![App version: 1.8.x](https://img.shields.io/badge/app%20version-1.8.x-brightgreen) | | [osschallenge](charts/osschallenge) | Chart for OSS-Challenge application | ![Version: 0.x](https://img.shields.io/badge/version-0.x-brightgreen) | ![App version: ed.x](https://img.shields.io/badge/app%20version-ed.x-brightgreen) | diff --git a/charts/kubernetes-etcd-backup/README.md b/charts/kubernetes-etcd-backup/README.md index 0d6337f09..67d54d501 100644 --- a/charts/kubernetes-etcd-backup/README.md +++ b/charts/kubernetes-etcd-backup/README.md @@ -1,6 +1,6 @@ # kubernetes-etcd-backup -![Version: 1.2.0](https://img.shields.io/badge/Version-1.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.0.6](https://img.shields.io/badge/AppVersion-v1.0.6-informational?style=flat-square) +![Version: 1.3.0](https://img.shields.io/badge/Version-1.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.0.6](https://img.shields.io/badge/AppVersion-v1.0.6-informational?style=flat-square) Chart for kubernetes-etcd-backup solution 
@@ -27,11 +27,10 @@ This chart is maintained by [Adfinis](https://adfinis.com/?pk_campaign=github&pk
 | backup.umask | string | `"0027"` | Set umask during the backup |
 | etcdCertification.etcdPeerTlsName | string | `"changeme"` | etcd-peer-tls secret name |
 | etcdCertification.etcdServerCaName | string | `"changeme"` | etcd-server-ca secret name |
-| extraVolumeMounts | list | `[]` | |
-| extraVolumes | list | `[]` | |
-| etcdConfiguration.insecureSkipTlsVerify | bool | `false` | skip server certificate verification |
 | etcdConfiguration.endpoint | string | `"changeme"` | Etcd endpoint ip or hostname without protocol or port Example: etcd.kube-system.svc.cluster.local |
 | etcdConfiguration.insecureSkipTlsVerify | bool | `false` | Skip server certificate verification Useful for scenarios where etcd nodes are external endpoints (access through etcd service in kube-system namespace) and have a different CN/SAN in the certificate . Otherwise, "failed to verify certificate: x509: certificate is valid for etcd-2, etc., not etcd.kube-system.svc.cluster.local" |
+| extraVolumeMounts | list | `[]` | |
+| extraVolumes | list | `[]` | |
 | fullnameOverride | string | `""` | |
 | image.pullPolicy | string | `"Always"` | Image pull policy configuration |
 | image.repository | string | `"ghcr.io/adfinis/kubernetes-etcd-backup"` | Repository image to use |